Multiple sniffer instancies: Difference between revisions

From VoIPmonitor.org
(Updated with clearer step-by-step guide, added troubleshooting section, systemd alternative, and AI Summary)
(Add use case: Multiple receiver instances for preventing CDR merging)
 
(2 intermediate revisions by the same user not shown)
Line 1: Line 1:
=How to Run Multiple Sniffer Instances on a Single Host=
=How to Run Multiple Sniffer Instances on a Single Host=
[[Category:Configuration]]


Running multiple VoIPmonitor sniffer instances on a single host is useful when you need to:
Running multiple VoIPmonitor sniffer instances on a single host allows you to:
* Monitor multiple PBX systems via separate network interfaces
* Monitor multiple PBX systems via separate network interfaces
* Distinguish calls by the network interface they arrived through
* Assign different <code>id_sensor</code> values for licensing or organizational purposes
* Assign different <code>id_sensor</code> values for licensing or organizational purposes
* Use completely separate storage paths for different instances
* Use separate storage paths (<code>spooldir</code>) for each instance
* '''Prevent CDR merging from multiple sensors in packet mirroring mode''' (see below)


{{Warning|Do NOT use the GUI wrench icon to configure interfaces when running multiple instances. Interface settings must be configured in the local configuration files only.}}
<kroki lang="mermaid">
%%{init: {'flowchart': {'nodeSpacing': 15, 'rankSpacing': 30}}}%%
flowchart TB
    subgraph HOST["Single Host"]
        I1[Instance 1<br/>eth0, id_sensor=1<br/>port 5029]
        I2[Instance 2<br/>eth1, id_sensor=2<br/>port 5030]
    end


== Step-by-Step Setup Procedure ==
    PBX1[PBX A] -->|SPAN| I1
    PBX2[PBX B] -->|SPAN| I2
    I1 --> DB[(MySQL)]
    I2 --> DB
    DB --> GUI[GUI]
</kroki>


To add a second instance when a single instance is already running correctly, follow these steps:
{{Warning|1=Do NOT use the GUI wrench icon to configure interfaces when running multiple instances. Interface settings must be configured in local configuration files only.}}


=== Step 1: Copy the main configuration file ===
== Use Case: Multiple Receivers Preventing CDR Merging ==


<syntaxhighlight lang="bash">
When multiple sensors send packets to a '''single receiver instance''' in packet mirroring mode (<code>packetbuffer_sender=yes</code>), calls may be merged into single CDRs, preventing per-sensor concurrent call monitoring.
cp -a /etc/voipmonitor.conf /etc/voipmon2.conf
</syntaxhighlight>


=== Step 2: Copy and modify the init script (if using init.d) ===
'''Solution:''' Run multiple voipmonitor receiver instances on the same host, one per sensor. Each instance binds to a dedicated <code>server_bind_port</code> and processes only that sensor's traffic.


<syntaxhighlight lang="bash">
<syntaxhighlight lang="ini">
cp -a /etc/init.d/voipmonitor /etc/init.d/voipmon2
# /etc/voipmonitor-sensor1.conf
id_sensor          = 1
server_bind        = 0.0.0.0:60024
server_bind_port  = 60024
server_password    = password1
 
# /etc/voipmonitor-sensor2.conf 
id_sensor          = 2
server_bind        = 0.0.0.0:60025
server_bind_port  = 60025
server_password    = password2
</syntaxhighlight>
</syntaxhighlight>


Edit the new script and replace all occurrences of <code>voipmonitor</code> with <code>voipmon2</code>:
Configure each remote sensor to send to its dedicated port:
<syntaxhighlight lang="ini">
# On Sensor 1
server_destination      = receiver.host.ip
server_destination_port = 60024


<syntaxhighlight lang="bash">
# On Sensor 2
vim /etc/init.d/voipmon2
server_destination      = receiver.host.ip
# In vim, use: :%s/voipmonitor/voipmon2/g
server_destination_port = 60025
</syntaxhighlight>
</syntaxhighlight>


=== Step 3: Edit the new configuration file ===
'''Note:''' Configuration options like <code>id_sensor</code> or <code>cdr_check_unique_callid_in_sensors</code> '''do not''' prevent CDR merging in packet mirroring mode. The only solution is separate receiver instances.
 
== Configuration Requirements ==


Edit <code>/etc/voipmon2.conf</code> and modify these critical options:
Each instance requires unique values for these parameters:


{| class="wikitable"
{| class="wikitable"
|-
|-
! Option !! Purpose !! Requirements
! Option !! Purpose !! Example (Instance 2)
|-
| <code>id_sensor</code> || Sensor ID for licensing/organization || Must be unique per instance
|-
|-
| <code>interface</code> || Network interface(s) to sniff || Must be unique or non-overlapping
| <code>id_sensor</code> || Sensor ID for licensing/GUI || <code>2</code>
|-
|-
| <code>managerport</code> || API port for GUI communication || Must be unique per instance (e.g., 5030, 5031)
| <code>interface</code> || Network interface to capture || <code>eth1</code>
|-
|-
| <code>server_bind</code> || Server process bind address/port || Must be unique per instance
| <code>managerport</code> || API port for GUI communication || <code>5030</code>
|-
|-
| <code>mirror_bind</code> || Mirror process bind address/port || Must be unique per instance
| <code>server_bind</code> || Server mode bind address:port || <code>127.0.0.1:60025</code>
|-
|-
| <code>spooldir</code> || Directory for PCAP/graph/audio files || Must be unique per instance
| <code>mirror_bind</code> || Mirror mode bind address:port || <code>127.0.0.1:60026</code>
|-
|-
| <code>maxpoolsize</code> || Maximum storage size for spooldir || Adjust for available disk space
| <code>spooldir</code> || PCAP/audio storage directory || <code>/var/spool/voipmonitor2</code>
|}
|}
{{Note|All '''bind options''' (server_bind, mirror_bind, etc.) must have unique values across all instances to prevent port conflicts.}}


Example configuration for <code>/etc/voipmon2.conf</code>:
== Step-by-Step Setup ==
 
=== Step 1: Copy configuration file ===
 
<syntaxhighlight lang="bash">
cp -a /etc/voipmonitor.conf /etc/voipmon2.conf
</syntaxhighlight>
 
=== Step 2: Edit the new configuration ===
 
Edit <code>/etc/voipmon2.conf</code> and set unique values:


<syntaxhighlight lang="ini">
<syntaxhighlight lang="ini">
[general]
id_sensor = 2
id_sensor = 2
interface = eth1
interface = eth1
managerport = 5030
managerport = 5030
server_bind = 127.0.0.1:5031
server_bind = 127.0.0.1:60025
mirror_bind = 127.0.0.1:5032
mirror_bind = 127.0.0.1:60026
spooldir = /var/spool/voipmonitor2
spooldir = /var/spool/voipmonitor2
</syntaxhighlight>
</syntaxhighlight>


=== Step 4: Verify RAM and storage capacity ===
=== Step 3: Create systemd service ===


Ensure the total resources across all instances do not exceed available capacity:
Create <code>/etc/systemd/system/voipmon2.service</code>:


* '''RAM:''' The sum of <code>ringbuffer</code> and <code>max_buffer_mem</code> from all instances must not exceed available free RAM
<syntaxhighlight lang="ini">
* '''Storage:''' The sum of <code>maxpoolsize</code> for all instance spool directories must not exceed available disk space
[Unit]
Description=VoIPmonitor Instance 2
After=network.target mysql.service


=== Step 5: Register and start the new service ===
[Service]
Type=forking
ExecStart=/usr/local/sbin/voipmonitor --config-file=/etc/voipmon2.conf
Restart=on-failure
 
[Install]
WantedBy=multi-user.target
</syntaxhighlight>
 
=== Step 4: Create spooldir and start service ===


<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
mkdir -p /var/spool/voipmonitor2
systemctl daemon-reload
systemctl daemon-reload
systemctl enable voipmon2
systemctl enable --now voipmon2
systemctl start voipmon2
</syntaxhighlight>
</syntaxhighlight>


=== Step 6: Verify the service started successfully ===
=== Step 5: Verify startup ===
 
Check service logs for errors:


<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
# Using journalctl (recommended)
journalctl -u voipmon2 -n 50
journalctl -u voipmon2 --since="2025-01-06" -n 50
 
# Or check syslog
tail -f /var/log/syslog | grep voipmon2
</syntaxhighlight>
</syntaxhighlight>


{{Warning|Verify there are NO errors in the logs before proceeding.}}
{{Warning|Verify there are NO errors in the logs before proceeding.}}


=== Step 7: Add the new instance to the GUI ===
=== Step 6: Register in GUI ===


1. Log in to the VoIPmonitor GUI
# Navigate to '''Settings > Sensors > Add Sensor'''
2. Navigate to '''Settings > Sensors'''
# Configure:
3. Click '''Add Sensor'''
#* '''Sensor ID''': <code>2</code> (matches <code>id_sensor</code>)
4. Configure:
#* '''Manager IP''': IP address of the host
  * <code>Sensor ID</code>: Matches <code>id_sensor</code> in the config file
#* '''Manager Port''': <code>5030</code> (matches <code>managerport</code>)
  * <code>Manager IP</code>: IP address of the sensor host
  * <code>Manager Port</code>: The <code>managerport</code> configured in the config file (e.g., 5030)


{{Tip|Do NOT use the GUI wrench icon to set the <code>interface</code> field. The interface is managed exclusively through the local configuration file.}}
== Troubleshooting ==
 
== Troubleshooting Multiple Instances ==


=== Duplicate Calls in GUI ===
=== Duplicate Calls in GUI ===


If you see duplicate calls, it typically means:
If both interfaces see the same traffic (overlapping SPAN), add to '''both''' config files:
* Both interfaces are seeing the same SPAN/mirrored traffic (e.g., VLAN trunking or inter-VLAN routing overlap)
* Packet deduplication is not enabled
 
Solution: Add to <strong>both</strong> configuration files:


<syntaxhighlight lang="ini">
<syntaxhighlight lang="ini">
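Review bot: The new receiver example states the listening port twice, as server_bind = 0.0.0.0:60024 plus server_bind_port = 60024, while the new Step 2 example writes server_bind = 127.0.0.1:60025 with no server_bind_port, so readers cannot tell which form is authoritative. Pick one form and use it in both places. The same example pairs a bind on 0.0.0.0 with server_password = password1 and password2; mark those values as placeholders and say that each receiver needs its own strong secret. This revision also drops the old Step 4 check that the summed ringbuffer, max_buffer_mem and maxpoolsize values fit the host's RAM and disk, which still applies when several instances share one machine.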
Line 123: Line 152:
</syntaxhighlight>
</syntaxhighlight>


Reference: [[Sniffing_modes#Multiple_Mirrored_Interfaces_Issue]]
See [[Sniffing_modes#Multiple_Mirrored_Interfaces_Issue]] for details.
 
=== GUI Overwrites Configuration ===


=== Configuration Conflicts ===
Prevent GUI from overwriting local config settings:


If changes in the GUI are being applied to the wrong sensor:
<syntaxhighlight lang="ini">
* Ensure GUI wrench icon is NOT used for interface settings
mysqlloadconfig = no
* Verify each instance has unique <code>id_sensor</code>, <code>managerport</code>, and all bind options
</syntaxhighlight>
* Set <code>mysqlloadconfig = no</code> in each instance's config file to prevent GUI overwrites


=== Service Won't Start ===
=== Service Won't Start ===


* Check that all bind ports are unique and not already in use: <code>netstat -tulpn | grep -E '50[23][0-9]'</code>
* Check port conflicts: <code>ss -tulpn | grep -E '502[0-9]|6002[0-9]'</code>
* Verify <code>spooldir</code> paths exist and are writable by the voipmonitor user
* Verify <code>spooldir</code> exists and is writable
* Check logs for permission errors or missing dependencies
* Check logs: <code>journalctl -u voipmon2 -e</code>


== Alternative: Systemd Service Files (Modern Method) ==
== See Also ==


For modern systemd-based systems, you can create dedicated service files instead of copying init.d scripts.
* [[Sniffer_configuration]] - Configuration file reference
* [[Systemd_for_voipmonitor_service_management]] - Systemd service details
* [[Sniffing_modes]] - Traffic capture methods and SPAN setup
* [[Sniffer_distributed_architecture]] - Client-server mode and packet mirroring


Create <code>/etc/systemd/system/voipmon2.service</code>:


<syntaxhighlight lang="ini">
== AI Summary for RAG ==
[Unit]
Description=VoIPmonitor Instance 2
After=network.target mysql.service


[Service]
'''Summary:''' Guide for running multiple independent VoIPmonitor sniffer instances on a single host. Each instance requires unique values for <code>id_sensor</code>, <code>interface</code>, <code>managerport</code>, and bind options (<code>server_bind</code>, <code>mirror_bind</code>). Setup involves copying the config file, creating a systemd service unit with <code>--config-file</code> parameter, and registering the sensor in GUI. For duplicate calls when interfaces see overlapping traffic, use <code>auto_enable_use_blocks = yes</code>. To prevent GUI from overwriting local settings, use <code>mysqlloadconfig = no</code>.
Type=forking
ExecStart=/usr/local/sbin/voipmon2 --config-file=/etc/voipmon2.conf
User=voipmonitor
Restart=on-failure


[Install]
'''Keywords:''' multiple instances, single host, separate interfaces, id_sensor, managerport, server_bind, mirror_bind, dual PBX, systemd service, auto_enable_use_blocks, mysqlloadconfig, packet deduplication
WantedBy=multi-user.target
</syntaxhighlight>


Then enable and start:
<syntaxhighlight lang="bash">
systemctl daemon-reload
systemctl enable voipmon2
systemctl start voipmon2
</syntaxhighlight>
== AI Summary for RAG ==
'''Summary:''' This guide explains how to run multiple independent VoIPmonitor sniffer instances on a single physical host. Each instance requires unique values for id_sensor, interface, managerport, and all bind options (server_bind, mirror_bind, etc.). The procedure covers copying configuration files, modifying init scripts or creating systemd service units, and registering sensors in the GUI. It also addresses troubleshooting for duplicate calls and configuration conflicts.
'''Keywords:''' multiple instances, single host, separate network interfaces, id_sensor, managerport, server_bind, mirror_bind, PBX monitoring, dual PBX
'''Key Questions:'''
'''Key Questions:'''
* How to monitor two PBX systems on a single VoIPmonitor host?
* How to monitor two PBX systems on a single VoIPmonitor host?
* Why are calls duplicated in the GUI when using multiple sensors?
* Why are calls duplicated when using multiple sniffer instances?
* How to configure unique managerport and bind options for each sniffer instance?
* How to configure unique ports for each sniffer instance?
* How to prevent configuration conflicts between multiple sniffer instances?
* How to prevent configuration conflicts between multiple instances?
* When to use auto_enable_use_blocks for packet deduplication?
* How to create a systemd service for additional sniffer instance?
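Review bot: The replacement port check under "Service Won't Start", ss -tulpn | grep -E '502[0-9]|6002[0-9]', no longer matches 5030, the managerport this page assigns to Instance 2; the removed pattern '50[23][0-9]' did. Suggest '50[23][0-9]|6002[0-9]' so that both the manager ports and the new 6002x bind ports are covered. The removed systemd unit in this hunk carried User=voipmonitor and the unit kept in the new revision has no User= line, so the second instance will run as root unless that is intended; the shortened spooldir bullet also drops "by the voipmonitor user", which should be restored if the service account is kept.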

Latest revision as of 17:32, 10 January 2026

How to Run Multiple Sniffer Instances on a Single Host

Running multiple VoIPmonitor sniffer instances on a single host allows you to:

  • Monitor multiple PBX systems via separate network interfaces
  • Assign different id_sensor values for licensing or organizational purposes
  • Use separate storage paths (spooldir) for each instance
  • Prevent CDR merging from multiple sensors in packet mirroring mode (see below)

⚠️ Warning: Do NOT use the GUI wrench icon to configure interfaces when running multiple instances. Interface settings must be configured in local configuration files only.

Use Case: Multiple Receivers Preventing CDR Merging

When multiple sensors send packets to a single receiver instance in packet mirroring mode (packetbuffer_sender=yes), calls may be merged into single CDRs, preventing per-sensor concurrent call monitoring.

Solution: Run multiple voipmonitor receiver instances on the same host, one per sensor. Each instance binds to a dedicated server_bind_port and processes only that sensor's traffic.

# /etc/voipmonitor-sensor1.conf
id_sensor          = 1
server_bind        = 0.0.0.0:60024
server_bind_port   = 60024
server_password    = password1

# /etc/voipmonitor-sensor2.conf  
id_sensor          = 2
server_bind        = 0.0.0.0:60025
server_bind_port   = 60025
server_password    = password2

Configure each remote sensor to send to its dedicated port:

# On Sensor 1
server_destination      = receiver.host.ip
server_destination_port = 60024

# On Sensor 2
server_destination      = receiver.host.ip
server_destination_port = 60025

Note: Configuration options like id_sensor or cdr_check_unique_callid_in_sensors do not prevent CDR merging in packet mirroring mode. The only solution is separate receiver instances.

Configuration Requirements

Each instance requires unique values for these parameters:

Option       | Purpose                        | Example (Instance 2)
id_sensor    | Sensor ID for licensing/GUI    | 2
interface    | Network interface to capture   | eth1
managerport  | API port for GUI communication | 5030
server_bind  | Server mode bind address:port  | 127.0.0.1:60025
mirror_bind  | Mirror mode bind address:port  | 127.0.0.1:60026
spooldir     | PCAP/audio storage directory   | /var/spool/voipmonitor2
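
The uniqueness requirements in the table above can be checked before a second instance is started. The following is an added example, not part of the original page or of VoIPmonitor's own tooling: the function names are hypothetical, the sample files are constructed (Instance 1 uses eth0, id_sensor 1 and port 5029, with an assumed spooldir), and only option names that appear on this page are read.

```python
from collections import defaultdict
UNIQUE_KEYS = ("id_sensor", "interface", "spooldir")  # compared as literal values

def parse_conf(text):
    """Parse 'key = value' lines; skip blanks, comments and [section] headers."""
    opts = {}
    for line in map(str.strip, text.splitlines()):
        if line and line[0] not in "#;[" and "=" in line:
            key, _, value = line.partition("=")
            opts[key.strip()] = value.strip()
    return opts

def listen_ports(opts):
    """Return [(port, option)] for every listener configured in one file."""
    ports = []
    if opts.get("managerport", "").isdigit():
        ports.append((int(opts["managerport"]), "managerport"))
    for key in ("server_bind", "mirror_bind"):
        value = opts.get(key, "")
        port = value.rpartition(":")[2]  # 'addr:port' form
        if ":" not in value and key == "server_bind":
            port = opts.get("server_bind_port", "")  # split form shown on the page
        if key in opts and port.isdigit():
            ports.append((int(port), key))
    return ports

def find_conflicts(configs):
    """configs maps file name -> file text; returns a sorted list of findings."""
    values, ports = defaultdict(list), defaultdict(list)
    for name, text in configs.items():
        opts = parse_conf(text)
        for key in UNIQUE_KEYS:
            if key in opts:
                values[(key, opts[key])].append(name)
        for port, key in listen_ports(opts):
            ports[port].append(f"{name}:{key}")
    found = [f"duplicate {k}={v}: {', '.join(f)}"
             for (k, v), f in values.items() if len(f) > 1]
    found += [f"port {p} claimed by {', '.join(u)}"
              for p, u in ports.items() if len(u) > 1]
    return sorted(found)

# Constructed sample: the copy from Step 1 with managerport and spooldir left
# unedited, and server_bind/mirror_bind given the same port by mistake.
SAMPLE = {
    "/etc/voipmonitor.conf": "[general]\nid_sensor = 1\ninterface = eth0\n"
                             "managerport = 5029\nspooldir = /var/spool/voipmonitor\n",
    "/etc/voipmon2.conf": "id_sensor = 2\ninterface = eth1\nmanagerport = 5029\n"
                          "server_bind = 127.0.0.1:60025\nmirror_bind = 127.0.0.1:60025\n"
                          "spooldir = /var/spool/voipmonitor\n",
}

if __name__ == "__main__":
    print("\n".join(find_conflicts(SAMPLE)))
```

To check real files, build the dictionary from their contents instead of SAMPLE; an empty result means no two instances share a value or a listening port.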

Step-by-Step Setup

Step 1: Copy configuration file

cp -a /etc/voipmonitor.conf /etc/voipmon2.conf

Step 2: Edit the new configuration

Edit /etc/voipmon2.conf and set unique values:

id_sensor = 2
interface = eth1
managerport = 5030
server_bind = 127.0.0.1:60025
mirror_bind = 127.0.0.1:60026
spooldir = /var/spool/voipmonitor2

Step 3: Create systemd service

Create /etc/systemd/system/voipmon2.service:

[Unit]
Description=VoIPmonitor Instance 2
After=network.target mysql.service

[Service]
Type=forking
ExecStart=/usr/local/sbin/voipmonitor --config-file=/etc/voipmon2.conf
Restart=on-failure

[Install]
WantedBy=multi-user.target

Step 4: Create spooldir and start service

mkdir -p /var/spool/voipmonitor2
systemctl daemon-reload
systemctl enable --now voipmon2

Step 5: Verify startup

journalctl -u voipmon2 -n 50

⚠️ Warning: Verify there are NO errors in the logs before proceeding.

Step 6: Register in GUI

  1. Navigate to Settings > Sensors > Add Sensor
  2. Configure:
    • Sensor ID: 2 (matches id_sensor)
    • Manager IP: IP address of the host
    • Manager Port: 5030 (matches managerport)

Troubleshooting

Duplicate Calls in GUI

If both interfaces see the same traffic (overlapping SPAN), add to both config files:

auto_enable_use_blocks = yes

See Sniffing_modes#Multiple_Mirrored_Interfaces_Issue for details.

GUI Overwrites Configuration

Prevent GUI from overwriting local config settings:

mysqlloadconfig = no

Service Won't Start

  • Check port conflicts: ss -tulpn | grep -E '50[23][0-9]|6002[0-9]'
  • Verify spooldir exists and is writable
  • Check logs: journalctl -u voipmon2 -e

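See Also

  • Sniffer_configuration - Configuration file reference
  • Systemd_for_voipmonitor_service_management - Systemd service details
  • Sniffing_modes - Traffic capture methods and SPAN setup
  • Sniffer_distributed_architecture - Client-server mode and packet mirroring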


AI Summary for RAG

Summary: Guide for running multiple independent VoIPmonitor sniffer instances on a single host. Each instance requires unique values for id_sensor, interface, managerport, and bind options (server_bind, mirror_bind). Setup involves copying the config file, creating a systemd service unit with --config-file parameter, and registering the sensor in GUI. For duplicate calls when interfaces see overlapping traffic, use auto_enable_use_blocks = yes. To prevent GUI from overwriting local settings, use mysqlloadconfig = no.

Keywords: multiple instances, single host, separate interfaces, id_sensor, managerport, server_bind, mirror_bind, dual PBX, systemd service, auto_enable_use_blocks, mysqlloadconfig, packet deduplication

Key Questions:

  • How to monitor two PBX systems on a single VoIPmonitor host?
  • Why are calls duplicated when using multiple sniffer instances?
  • How to configure unique ports for each sniffer instance?
  • How to prevent configuration conflicts between multiple instances?
  • How to create a systemd service for additional sniffer instance?